FW: Event ID 644

[Paul Snedden <psnedden () GBMLOGIC COM AU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I originally sent this message to the How-To Security List (also a
part of SecurityFocus), but didn't receive any reasonable responses.
Perhaps the membership of this list might be able to shed a bit more
light.

Paul

> Last Friday afternoon (15:59), there is a group of entries in the
> Security Event Log of my PDCsaying that my personal domain acct had
> been locked out.  This, in itself, is nothing short of odd, but
> isn't the reason for this question.  The first three entries were
> identical, with the exception of the "Caller Machine", each of
> which had a different SID.  My first question is which machines
> would this be?  Do I have any way of finding this out?  I'm
> assuming one is my PDC, another would be my BDC, but what about the
> third?  Other than the PDC/BDC, I also have a RAS Server and a
> standalone server running IIS4 as a backend to our corporate
> website.  All servers are running NT4/SP6a(RC1.3), my PC is running
> NT4WS/SP6a(RC1.3).  So, what would the third entry be?  If there
> was 4, I would have assumed that it was the other two servers, but
> seeing as there is just one, would the third entry be my PC?
>
> The second half of my question is a bit more bizarre.  As I
> mentioned, there were six entries in the event log, in the order of
> (what I will call) "SID1", "SID2", "SID3".  These three entries
> were duplicated some 23 seconds later, in the same order as above
> (SID1, SID2, SID3).  Then, approximately an hour later, there was
> another eighteen(18) entries, these being in three groups of three,
> then duplicated 22 seconds later (just like it did above).  I will
> give details of one of the groups of three:
>
> SID1 had three events logged, one saying my User acct had been
> locked out and gave all the relevant details.  Looking at the
> "detail" section of the event, the top half of the screen showed
> "User" as my login name, and the "Computer" had the name of my PDC
> listed.  The bottom half showed the "Target Account ID" as being my
> login name, the "Caller User Name" had the name of my domain
> listed, and the "Caller User Name" had a hex string listed.
>
> The second and third entries that SID1 had showed the "User" as "NT
> AUTHORITY\ANONYMOUS", but the "Computer" still had the name of my
> PDC listed.  The "Target Account ID" was blank, and the "Caller
> User Name" showed a different hex string.
>
> This pattern was duplicated for both SID2 and SID3, then 22 seconds
> later, the entire pattern (of 9 entries) was duplicated.
>
> So.
>
> As Monday was a public holiday, I was more than a little surprised
> to see this when I came to work on Tuesday morning.  When you add
> in the fact that our building got broken into over the weekend, it
> just looks a little TOO scary.
>
> Can someone help me make sense of all this?

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>

iQA/AwUBOjO16Xz2HXQUsCJOEQK1WQCfQkPiPBHgeVteKslLqHGNhRZXJ8IAoPSo
v0clbGYrJNGMgJkkv+HnjVt3
=3mnC
-----END PGP SIGNATURE-----